Patching Windows In A Task Sequence


Managing Windows updates with MDT scripts.


Having an image that includes the latest Windows patches is really important. If the Software Update Point role isn’t installed, this might be the best solution for handling updates in a task sequence / image capture scenario.

Since the built-in Install Software Updates step uses the SUP and the updates downloaded into SCCM, it’s not an option here.

The script to use is called ZTIWindowsUpdate.wsf and is actually part of the Microsoft Deployment Toolkit; the latest version at the time of writing is build 8450, with support for Windows 10 – 1709.

What does the script do?

It does the same thing as clicking the Check for updates button in Windows: it searches for and installs all applicable updates from Microsoft Update or WSUS, rebooting as required until no further updates are needed. The script is designed to run in a task sequence and logs to its own log file for easy debugging.

Setup / installation

Start by downloading the latest Microsoft Deployment Toolkit and run the msi installer. Note the install location.

When the installation completes, browse to the location where the toolkit was installed. The default location of the folder containing the scripts is:

C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts

Find the following two scripts and copy them to an empty folder on an SCCM package share.

Now create a new package in SCCM pointing to the folder containing the two scripts. Remember to click Distribute Content on the package.

In the task sequence, add a Run Command Line step. If the script is used in a Build and Capture task sequence, remember to place this step after the Setup Windows and Configuration Manager step.

In the Command line enter:

cscript.exe ZTIWindowsUpdate.wsf

Check the Package option and browse to select the newly created package containing the update scripts, as shown below.

Tips and Tricks

If Office is captured into the image, I recommend making it a two-step process.
As seen in the screenshot above, place the first update step right after the OS and language pack installation steps. Then install Office, and after that place the second update step to pick up all the Office updates.

I experienced some issues if I only used one update step after the Office installation. The script would install Windows and Office updates fine, but eventually the script went into a reboot loop, and the capture step failed in the end.

After I switched to the two step method, I haven’t had any issues at all.

WSUS

The script downloads updates from Microsoft’s update site. If a WSUS server is available on the network, the script can be configured to use it by setting the following task sequence variable before the ZTIWindowsUpdate step runs.

Variable: WSUSServer
Value: http://wsusfqdn:8530

Max allowed updates

By default the ZTIWindowsUpdate script is configured to install a maximum of 100 updates and to reboot at most 7 times. If the OS needs more than 100 updates, adjust the values in the Global Constants section of the ZTIWindowsUpdate.wsf script.

'//----------------------------------------------------------------------------
'//  Global Constants
'//----------------------------------------------------------------------------

Const MSIT_WU_REBOOT_MAX = 7    ' Maximum number of reboots the script will perform
Const MAX_UPDATES = 100         ' Maximum number of updates the script will install


'//----------------------------------------------------------------------------
'//  Main Class
'//----------------------------------------------------------------------------
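As an added example that is not part of the article or of MDT: a PowerShell pre-flight check that can run as its own Run Command Line step just before ZTIWindowsUpdate.wsf. It uses the Windows Update Agent COM API (Microsoft.Update.Session) to count the updates currently applicable to the OS and compares the count with MAX_UPDATES, so the constant can be raised (or a second update step added) before the step stops short; the task sequence variable names it writes are made up for this example.

```powershell
<#
  Pre-flight check for the ZTIWindowsUpdate.wsf step (added example, not MDT code).
  Asks the Windows Update Agent how many updates are applicable right now and
  compares the count with MAX_UPDATES from the script's Global Constants.
  Usage: powershell.exe -ExecutionPolicy Bypass -File Test-WUCount.ps1 [-UseWsus]
#>
param(
    [int]$MaxUpdates = 100,   # mirrors MAX_UPDATES in ZTIWindowsUpdate.wsf
    [switch]$UseWsus          # search the WSUS server set by policy instead of Microsoft Update
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.Online = $true
# ServerSelection: 1 = ssManagedServer (WSUS from policy), 2 = ssWindowsUpdate
if ($UseWsus) { $searcher.ServerSelection = 1 } else { $searcher.ServerSelection = 2 }

# Same criteria the "Check for updates" button effectively uses:
# software updates that are not installed and not hidden.
$result  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$updates = @($result.Updates)

# Updates whose installer may request a reboot (RebootBehavior 0 = never) are
# the ones that push the reboot count towards MSIT_WU_REBOOT_MAX.
$rebooters = @($updates | Where-Object { $_.InstallationBehavior.RebootBehavior -ne 0 })

$report = [pscustomobject]@{
    Applicable        = $updates.Count
    MayRequestReboot  = $rebooters.Count
    ExceedsMaxUpdates = ($updates.Count -gt $MaxUpdates)
}
$report | Format-List

# Inside a task sequence, publish the result as TS variables (names constructed
# for this example) so a conditional step can warn or stop before
# ZTIWindowsUpdate.wsf runs. Outside a task sequence the COM object is absent.
try {
    $tsenv = New-Object -ComObject 'Microsoft.SMS.TSEnvironment' -ErrorAction Stop
    $tsenv.Value('WUPreflightApplicable') = [string]$updates.Count
    $tsenv.Value('WUPreflightExceedsMax') = [string]$report.ExceedsMaxUpdates
} catch {
    Write-Warning 'Not running inside a task sequence; TS variables were not set.'
}

if ($report.ExceedsMaxUpdates) {
    Write-Warning ("{0} applicable updates exceed MAX_UPDATES={1}; raise the constant or add a second update step." -f $updates.Count, $MaxUpdates)
}
```

Run it with -UseWsus when the WSUSServer variable is set, so the count reflects what the WSUS server actually approves rather than everything on Microsoft Update.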

  • Cory

    Pointing to WSUS: if using SCCM for patching, do you just point it to the SCCM “WSUS”, or should you use the native SCCM Install Software Updates? I only want approved patches to be applied.

    • Casper Nielsen

      Defining the variable WSUSServer only tells the script to use a specific WSUS server for updates.
      So it’s basically the same as a Windows client hitting the “Check for updates” button.

      In our setup I don’t have WSUS installed on the SCCM server and don’t use it for client patching.
      If you only want to apply some specific updates, you might want to use the Offline Servicing feature on the WIM image itself.
      It injects the patches into the WIM file and builds a new updated image with the updates.

      I have experienced that, if you use offline servicing with many updates, it can fail.
      So try it with a limited number, like max 50 updates at a time.